A serious security issue has been discovered in the TI WooCommerce Wishlist plugin, which is used on over 100,000 WordPress sites.
TI WooCommerce Wishlist Flaw
The flaw affects version 2.9.2 and all earlier versions, allowing unauthenticated file uploads—meaning attackers can upload malicious files without logging in. This vulnerability is tracked as CVE-2025-47577.
The plugin normally works with tools like WC Fields Factory to let store owners add wishlist features and custom forms. But due to a coding error, attackers can upload harmful files like PHP scripts, which could let them take full control of a website.
The problem lies in the tinvwl_upload_file_wc_fields_factory function in the plugin's code. It disables WordPress's normal file type checks by passing 'test_type' => false to the upload handler, so any file type, including a PHP script, is accepted and written to the server. Because the uploaded file lands in a web-accessible directory, an attacker can then request it and have it executed directly on the server, leading to remote code execution (RCE).
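To make the coding error concrete, here is the weak override pattern the advisory describes beside a hardened version. This is an added illustration written for this article, not code from the TI WooCommerce Wishlist plugin or from Patchstack. It uses the real WordPress API wp_handle_upload(), whose 'test_type' override controls whether wp_check_filetype_and_ext() runs; the function names (example_upload_unsafe, example_upload_safe, example_random_filename), the nonce action, the form field names and the allowed-type list are assumptions chosen for the example.

```php
<?php
// Added illustration, not the plugin's code. Handler names, nonce action,
// field names and the allowlist below are assumptions for this example.

// Weak pattern: 'test_type' => false tells wp_handle_upload() to skip
// wp_check_filetype_and_ext(), so a .php upload is accepted and written
// under wp-content/uploads, where the web server will execute it.
function example_upload_unsafe( array $file ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $overrides = array(
        'test_form' => false,
        'test_type' => false, // disables the extension/MIME check
    );
    return wp_handle_upload( $file, $overrides );
}

// Hardened pattern: keep the type check on, pass an explicit allowlist of
// extension => MIME pairs, and require a capability and a nonce so the
// endpoint is not reachable by unauthenticated visitors.
function example_upload_safe( array $file ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';

    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'You are not allowed to upload files.' );
    }
    $nonce = isset( $_POST['example_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['example_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_upload' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    // Allowlist: anything not in this map is rejected by wp_handle_upload().
    $allowed = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'pdf'          => 'application/pdf',
    );

    // Defence in depth: check extension and magic bytes before handing off.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted.' );
    }

    $overrides = array(
        'test_form'                => false,
        'test_type'                => true,     // keep WordPress's type check
        'mimes'                    => $allowed, // and restrict it to this allowlist
        'unique_filename_callback' => 'example_random_filename',
    );
    return wp_handle_upload( $file, $overrides );
}

// Server-chosen random filename so the attacker does not control the name.
// wp_unique_filename() passes $ext with its leading dot.
function example_random_filename( $dir, $name, $ext ) {
    return wp_generate_password( 20, false ) . strtolower( $ext );
}

// Usage from a form handler:
// $result = example_upload_safe( $_FILES['example_file'] );
// On success $result holds 'file', 'url' and 'type'; on failure it is a WP_Error
// or an array with an 'error' key (wp_handle_upload()'s own failure shape).
```

The key difference is the single override: with 'test_type' => false, WordPress never looks at the extension or the file's magic bytes, so the allowlist is irrelevant. Note also that wp_handle_upload() exempts users holding the unfiltered_upload capability from the type check, so the capability and nonce checks matter even once test_type is back on.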
The vulnerable upload function is reached through the helper functions tinvwl_meta_wc_fields_factory and tinvwl_cart_meta_wc_fields_factory. Exploitation therefore only works when the WC Fields Factory plugin is also active, which slightly narrows the exposure but still leaves many sites at risk.
This is a high-severity issue, because attackers do not need to log in to exploit it. Once they can upload and execute code on your server, the result can be data theft, full site compromise, or service disruption.
As of now, there is no patch available. The only safe action is to deactivate and delete the plugin to prevent attacks.
Users subscribed to Patchstack’s paid service (starting at $5 per site/month) are already protected against this flaw. A free Community account is required to access this protection.
Security experts also recommend that plugin developers and hosting providers explore Patchstack’s audit services and API to strengthen security across multiple sites.
The community is still waiting for an official fix from the TI Wishlist team. Until then, removal of the plugin is the safest course of action.
This incident is a strong reminder for all developers: never bypass default WordPress security checks, such as file validation. One small mistake can put thousands of websites at risk.
We will share updates as soon as a patched version is released. For now, prioritize security—stay alert and keep your WordPress site safe.